SSDEEP(1)                            Kyrus                           SSDEEP(1)



NAME
       ssdeep - Computes context triggered piecewise hashes (fuzzy hashes)


SYNOPSIS
       ssdeep [-m <file>] [-k <file>] [-vdprgsblcxa] [-t val] [FILES]
       ssdeep [-V|h]


DESCRIPTION
       Computes  a  signature  based on context triggered piecewise hashes for
       each input file, also called a fuzzy hash.  If requested,  the  program
       matches those signatures against a file of known signatures and reports
       any possible matches.  It can also examine one or more files of  signa-
       tures  and find any matches in those files.  Output is written to stan-
       dard out and errors to standard error.  The program  only  accepts  the
       first 100MB of data presented via standard input.


       -m <file>
              Loads  the  specified file of known hashes to be used for match-
              ing. This file must be a previous output  of  the  program.  The
              program  then hashes each entry in FILES and compares these sig-
              natures to the known signatures.  Any matches which score  above
              the  threshold  are  displayed.   This flag may be used multiple
              times to load more known signatures.  This flag may not be  used
              with the -k or -x flags.


       -k <file>
              Load the specified file of known hashes to be used for matching.
              This file must be a previous output of the program. The  program
              then  treats  each  entry  in  FILES as a set of known hashes as
              well. The hashes in these FILES are compared to the known hashes
              from this file. Matches which score above the threshold are dis-
              played. Both the file specified here and the input FILES  should
              contain  fuzzy  hashes.  This flag may be used multiple times to
              load more known signatures.  This flag may not be used with  the
              -m, -d, or -p flags.


       -v     Verbose mode. The name of each file is printed to standard error
              as it is being hashed.


       -d     Computes a signature for each entry in the FILES and compares it
              to  the  set  of known signatures. Matches which score above the
              threshold are displayed. The computed signature is then added to
              the set of known signatures.  This flag may not be used with the
              -k or -x flags.


       -p     Works like the -d flag, but displays all matches for each  file.
              That is, for two files A and B whose match score is above the
              threshold, displays "A matches B" and "B matches A".  This  flag
              may not be used with the -k or -x flags.


       -r     Enables   recursive  mode.  All  subdirectories  are  traversed.
              Please note that recursive mode cannot be used  to  examine  all
              files  of a given file extension. For example, invoking the
              program with -r *.txt will examine all files in directories
              whose names end in .txt.  If you want to process all files in a
              directory tree with the .txt suffix, try using the find(1)
              command.


       -g     Similar files are grouped together into clusters.  This  can  be
              handy  for  finding  more  similar  files.  That  is, if you are
              searching for file A, which matches B, anything which matches  B
              will also be included in the cluster.


       -s     Silent mode. All error messages are suppressed.


       -b     Enables bare mode. Strips any leading directory information from
              displayed filenames.  This flag may not be used  in  conjunction
              with the -l flag.


       -l     Enables  relative  file  paths. Instead of printing the absolute
              path for each file, displays the relative file path as indicated
              on  the  command  line. This flag may not be used in conjunction
              with the -b flag.


       -c     Enables comma separated output mode.  In  any  of  the  matching
              modes  -d,  -p, or -m, displays the results as input file, known
              file, matching score.


       -x     Signature file matching.  Each entry in FILES must contain  sig-
              natures generated by a previous output of the program. Each sig-
              nature is loaded and compared against the set of  known  hashes.
              Match  scores  above the threshold are displayed. Each signature
              is then added to the set of knowns.  This flag may not  be  used
              with the -m, -d, or -p flags.


       -a     Displays all matches in any of the matching modes, regardless of
              score.  Using the -a flag displays  all  results,  even  if  the
              match score is zero.


       -t <val>
              In  any  of  the matching modes, only display matches when match
              score is greater than the given  value.  The  default  threshold
              value is zero.


       -h     Show a help screen and exit.


       -V     Show the version number and exit.



RETURN VALUE
       Returns 0 on success, 1 if there is a problem.  Read errors, permission
       denied, and encountering directories while not in  recursive  mode  are
       still  considered  successes.  Problems are things like being unable to
       load the matching file, specifying both bare and relative paths, etc.
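
       The -r note and the return value rules above, worked through as an
       added example that is not part of ssdeep or of this manual. The
       function names, file arguments and the return code 2 are assumptions.

```shell
#!/bin/sh
# Added example, not shipped with ssdeep. Function names, file arguments and
# the return code 2 are assumptions made for this illustration.

# hash_by_suffix DIR SUFFIX OUT ERRLOG
# Hash every regular file under DIR whose name ends in SUFFIX.
# "ssdeep -r *.txt" cannot do this: the shell expands *.txt first, so ssdeep
# only sees current-directory entries with that name and recurses into the
# ones that are directories.
hash_by_suffix() {
    dir=$1 suffix=$2 out=$3 errlog=$4
    # find selects by name at any depth. "-exec ... {} +" passes names with
    # spaces intact and runs ssdeep zero times when nothing matches.
    find "$dir" -type f -name "*$suffix" -exec ssdeep {} + \
        >"$out" 2>"$errlog" || return 1    # find or ssdeep reported failure
    # Read errors and permission denials still exit 0 (see RETURN VALUE),
    # so anything on standard error means OUT may be missing files.
    [ ! -s "$errlog" ] || return 2
}

# match_by_suffix KNOWN DIR SUFFIX THRESHOLD
# Compare the same selection against a saved signature file (-m) and print
# comma separated results (-c) for scores above THRESHOLD (-t).
match_by_suffix() {
    known=$1 dir=$2 suffix=$3 threshold=$4
    [ -r "$known" ] || { echo "cannot read $known" >&2; return 1; }
    find "$dir" -type f -name "*$suffix" \
        -exec ssdeep -c -t "$threshold" -m "$known" {} +
}
```

       A return of 2 from hash_by_suffix means ssdeep exited 0 but wrote
       messages to ERRLOG, so the signature file should not be treated as
       covering every selected file.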


AUTHOR
       ssdeep was written by Jesse Kornblum of Kyrus,
       research@jessekornblum.com



COPYRIGHT
       This program is Copyright (C) 2012 Kyrus  and  is  licensed  under  the
       terms  of the General Public License. See the file COPYING for details.


SEE ALSO
       This program is based on SpamSum by Dr. Andrew Tridgell.
       http://www.samba.org/ftp/unpacked/junkcode/spamsum/



Kyrus                      Version 2.9 - 23 Jul 2012                 SSDEEP(1)
